Companies too often focus on fixing the wrong software vulnerabilities, leaving themselves open to attack, a security expert says. Core Security is releasing at Black Hat a model to help companies properly patch flaws.

LAS VEGAS—When security teams patch software vulnerabilities in their systems, they too often focus on the wrong issues, patching the holes that are easiest to fix rather than fixing the flaws that are most likely to be the focus of attackers.
To help companies improve their handling of software flaws, vulnerability management firm Core Security will release, at the Black Hat security conference here this week, a model for companies to analyze their ability to properly patch software insecurities and a roadmap to improve their response. The model can be used by information security professionals to avoid data overload and better prioritize their vulnerability remediation efforts based on which flaws most threaten their business, Eric Cowperthwaite, vice president of advanced strategy at Core Security, told eWEEK.
"If you are a typical CISO [chief information security officer] and you have five or six staff, do you focus broadly on your entire security surface, or do you focus on what is important?" he said, adding that companies that take a more mature approach to software patching will be more secure. "By approaching the problem this way, there will be less vulnerabilities available for the bad guys to use."
Core Security's vulnerability management maturity model classifies a company's response into one of six levels, from firms with nonexistent programs to those organizations capable of managing an attack. The third level, for example, is where IT security professionals are meeting compliance obligations, beginning to work with IT operations and tracking metrics, but perhaps not the right ones.

The document, which Cowperthwaite has been developing using his experience as a former CISO for a large health care provider, also offers guidance for improving a company's vulnerability management processes. Companies that want to move beyond compliance, for example, should focus on meaningful metrics, create formal processes and use penetration testing to support their vulnerability management program.

In many ways, the model is part of a movement in the security industry to educate security professionals on best practices in security. The Building Security In Maturity Model (BSIMM), for example, is a study of the security processes at nearly 70 companies and acts as a guide for businesses that want to compare their security processes to other firms.
The maturity models also contradict the trend of equating security with buying security products, Cowperthwaite says.
"One reason that we are putting out a maturity model on vulnerability management is because there is more to fixing your vulnerability problems than buying a new product," he said. "Changing the culture of a company is more powerful than buying a new firewall."
The vulnerability management maturity model will be released later this week at the Black Hat conference, Cowperthwaite said.